CVE-2026-34909
published 2026-05-22CVE-2026-34909: A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system…
PriorityP194critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-06-26
Exploited in the wild
EPSS
2.27%
80.9th percentile
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
Affected
64 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubiquiti_inc | efg | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | envr | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | envr-core | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | express | < 4.0.14 | 4.0.14 |
| ubiquiti_inc | express_7 | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-fiber | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-industrial | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-max | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-ultra | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | uck | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | uck-enterprise | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | uckp | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm-beast | < 5.1.11 | 5.1.11 |
| ubiquiti_inc | udm-pro | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm-pro-max | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm-se | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udr | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udr-5g | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udr7 | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udw | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | unas-2 | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-4 | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-pro | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-pro-4 | < 5.1.10 | 5.1.10 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for HTTP requests where the raw URI targets an authentication-exempt endpoint (e.g. /api/auth/validate-sso/) but resolves to a protected internal route after Nginx normalization — this is the authentication bypass mechanism for CVE-2026-34908/34909. ↗
- →Monitor requests to the package-update endpoint (ucs/update/latest_package) for unvalidated user input being passed into shell commands — this is the CVE-2026-34910 command injection sink reached after the auth bypass. ↗
- →Alert on unexpected sudo commands and child processes spawned under the 'ucs-update' service account, as the affected service account has passwordless sudo access making privilege escalation to root trivial. ↗
- →CVE-2026-34909 is part of a three-CVE chain (CVE-2026-34908 auth bypass → CVE-2026-34909 path traversal → CVE-2026-34910 command injection) actively exploited in the wild to deploy commodity malware; treat all three as a single attack surface. ↗
- ·The Bishop Fox detection script does NOT detect active attacks, past exploitation, or the presence of persistence mechanisms/backdoors — a clean result does not rule out prior compromise. ↗
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck10.0CRITICAL
cisa10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Ubiquiti UniFi OS Path Traversal Vulnerability
cisa·2026-06-23·CVSS 10.0
CVE-2026-34909 [CRITICAL] CWE-22 Ubiquiti UniFi OS Path Traversal Vulnerability
Vulnerability: Ubiquiti UniFi OS Path Traversal Vulnerability
Affected: Ubiquiti UniFi OS
Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 pa
VulDB
Ubiquiti UniFi OS Server path traversal (EUVD-2026-31384 / WID-SEC-2026-1639)
vuldb·2026-06-23·CVSS 10.0
CVE-2026-34909 [CRITICAL] Ubiquiti UniFi OS Server path traversal (EUVD-2026-31384 / WID-SEC-2026-1639)
A vulnerability was found in Ubiquiti UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber and UCG-Industrial. It has been classified as critical. Affected is an unknown function. The manipulation leads to path traversal.
This vulnerability is documented as CVE-2026-34909. The attack can be initiated remotely. Additionally, an exploit exists.
Upgrading the affected component is recommended.
GHSA
GHSA-95fp-244g-g3vr: A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying
ghsa_unreviewed·2026-05-22
CVE-2026-34909 [CRITICAL] CWE-22 GHSA-95fp-244g-g3vr: A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
VulnCheck
Ubiquiti UniFi OS Path Traversal Vulnerability
vulncheck·2026·CVSS 10.0
CVE-2026-34909 [CRITICAL] CWE-22 Ubiquiti UniFi OS Path Traversal Vulnerability
Ubiquiti UniFi OS Path Traversal Vulnerability
Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
Affected: Ubiquiti UniFi OS
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guideli
No detection rules found.
No public exploits indexed.
Checkpoint
29th June – Threat Intelligence Report
blogs_checkpoint·2026-06-29
CVE-2026-20245 29th June – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 29th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Polymarket, a large cryptocurrency-based prediction market, has confirmed a supply chain attack after a third-party frontend vendor breach led to malicious JavaScript being injected into its website. Attackers tricked users into approving fraudulent transactions, stealing about $3 million from fewer than 15 accounts, while the b
Hackernews
CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
blogs_hackernews·2026-06-24·CVSS 9.8
CVE-2025-67038 [CRITICAL] CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026.
The vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution of arbitrary commands with elevated privileges.
"The HTTP RPC module executes a shell command to write logs when the user's authentication fails," according to the
Bleepingcomputer
CISA warns of max severity Ubiquiti flaws exploited in attacks
blogs_bleepingcomputer·2026-06-24·CVSS 9.8
CVE-2026-34908 [CRITICAL] CISA warns of max severity Ubiquiti flaws exploited in attacks
## CISA warns of max severity Ubiquiti flaws exploited in attacks
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquity UniFi OS and Lantronix serial-to-ethernet servers.
According to the BOD 26-04 directive , federal agencies have three days to apply available security updates or vendor-recommended mitigations.
The Ubiquiti flaws that CISA added to its catalog of Known Exploited Vulnerabilities are:
CVE-2026-34908 : an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
CVE-2026-34909 : a directory/path traversal vulnerability that allows an attacker to access sensitive files on the unde
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Hackernews
⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
blogs_hackernews·2026-06-08·CVSS 8.4
CVE-2025-48595 [HIGH] ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.
A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.
Lots to cover. Grab coffee. Read up.
## ⚡ Threat of the Week
Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain
Bleepingcomputer
Critical UniFi OS bug lets hackers gain root without authentication
blogs_bleepingcomputer·2026-06-08·CVSS 10.0
CVE-2026-34908 [CRITICAL] Critical UniFi OS bug lets hackers gain root without authentication
## Critical UniFi OS bug lets hackers gain root without authentication
## Bill Toulas
Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS server to execute remote code with root privileges and without authentication.
The security issues are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. They have been addressed in May and impact UniFi OS Server versions 5.0.6 and earlier.
While all three flaws received the maximum severity rating despite their exploitation requiring access to the network, the vendor's advisory did not mention that they could be chained for remote code execution.
CVE-2026-34908 is an improper access control flaw that can allow unauthorized changes to vulnerable systems
CVE-2026-34909 is a path traversal vulnerability that c
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Bleepingcomputer
Ubiquiti patches three max severity UniFi OS vulnerabilities
blogs_bleepingcomputer·2026-05-22·CVSS 10.0
CVE-2026-34908 [CRITICAL] Ubiquiti patches three max severity UniFi OS vulnerabilities
## Ubiquiti patches three max severity UniFi OS vulnerabilities
## Sergiu Gatlan
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges.
UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.
The first flaw ( CVE-2026-34908 ) enables attackers to make unauthorized changes to targeted systems by exploiting an Improper Access Control weakness in UniFi OS, while the second ( CVE-2026-34909 ) allows them to access files on the underlying system by abusing a Path Traversal vulner
2026-05-22
Published
2026-06-23
Added to CISA KEV
Exploited in the wild